Overview
Meddy, Inc. (“Meddy,” “we,” “us,” or “our”) operates an AI-powered platform that helps pre-med students plan coursework, track experiences, build school lists, draft essays and resumes, manage applications, and prepare for medical school. This Privacy Policy explains what we collect, why, how we handle it, and the choices and rights you have.
It applies to our websites, web and mobile applications, APIs, browser extensions, and any other product or service that links to it (together, the “Services”), including features we add over time. Capitalized terms not defined here have the meaning given in our Terms of Service.
Institutional deployments. When you access Meddy through a university, program, or other organization (for example, an enterprise or campus deployment), that institution may act as the controller of certain data, and a separate agreement with the institution governs how that data is handled. See Students & Educational Institutions.
Information We Collect
We collect the categories of information below. The specific data depends on how you use the Services.
Information you provide
- Account information: name, email address, password or authentication credentials, and profile details, handled through our authentication provider.
- Profile and academic information: school, class year, major, GPA, MCAT status and scores, prerequisite coursework, target schools, goals, and other details you enter to personalize your plan.
- Content you create or upload: experiences and activities, essays and drafts, resumes, transcripts, application materials, recommendation-letter details, documents, and messages.
- AI inputs: prompts, questions, instructions, and the content you submit to our AI chat, advising, and recommendation features.
- Payment information: subscription and billing details processed by our payment processor. We receive limited transaction data (such as plan, status, and the last four digits of a card) but do not store full payment card numbers.
- Communications: messages you send to support, survey responses, and feedback.
Information collected automatically
- Usage data: features used, pages viewed, actions taken, and timestamps.
- Device and log data: IP address, browser and device type, operating system, identifiers, and diagnostic and crash data.
- Cookies and similar technologies: see Cookies & Tracking.
Information from third parties
- Single sign-on: if you sign in with a third-party provider (such as Google), we receive basic profile information you authorize.
- Integrations you connect: data from services you choose to link, such as calendar events when you connect a calendar.
- Institutions: where you join through a school or organization, we may receive information needed to verify eligibility and provide the deployment.
Sensitive Information
Some information you choose to provide may be considered “sensitive personal information” under California law or a “special category” of data under the GDPR, for example, self-reported race or ethnicity, or information revealing sexual orientation, when you add it to your demographic profile.
Providing this information is optional. We use it only for the purposes you would reasonably expect (such as personalizing guidance you request and, where you opt in, features that consider these signals) and not to infer characteristics about you for advertising. We do not sell it, we do not share it for cross-context behavioral advertising, and you can remove it at any time in your profile. Where the law requires your consent to process this information, we ask for it.
How We Use Information
We use information for the following purposes:
- Provide and operate the Services, including your account, dashboards, and features.
- Personalize your experience, recommendations, and guidance based on what you enter.
- Power AI features such as chat, advising, drafting, and recommendations (see AI Features & Automated Processing).
- Process payments, manage subscriptions, and prevent fraudulent transactions.
- Communicate with you about your account, updates, security, and support.
- Maintain safety and security, detect and prevent abuse, and enforce our terms.
- Improve the Services, including troubleshooting and developing new features, using usage data and de-identified or aggregated information.
- Comply with law and respond to lawful requests and legal claims.
For users in the EEA, UK, and Switzerland, our legal bases for processing are described in Your Privacy Rights.
AI Features & Automated Processing
Meddy uses artificial intelligence (including large language models provided by third parties) to power features such as AI chat, advising, recommendations, drafting assistance, and document analysis. When you use these features, the inputs you provide and relevant profile or content data are processed to generate a response.
- How inputs are processed. We send the information needed to fulfill your request to our AI providers so they can return a result to you. This may include your prompts and the content you choose to include.
- No training of foundation models on your content. We do not use your personal content, prompts, essays, or documents to train third-party foundation models, and we work with AI providers under terms that do not permit them to train their models on data submitted through our accounts. We may use de-identified or aggregated data to evaluate and improve our own features.
- Assistive, not autonomous. AI outputs are suggestions to help you. They can be inaccurate or incomplete and are not professional, medical, legal, financial, or admissions advice. We do not use AI to make decisions that produce legal or similarly significant effects about you without human involvement. You remain responsible for reviewing outputs before you rely on them.
For more on ownership of inputs and outputs, and the limits of AI, see the AI provisions of our Terms of Service.
Data Retention
We keep personal information for as long as your account is active or as needed to provide the Services. After that, we retain and use information only as necessary to comply with legal obligations, resolve disputes, enforce our agreements, and maintain security, and then delete or de-identify it. Residual copies may persist in backups for a limited period before they are overwritten.
You can delete your content or close your account at any time; see Your Privacy Rights.
Data Security
We use administrative, technical, and organizational measures designed to protect information, including encryption in transit, access controls, and reputable infrastructure providers. Our authentication, database, and storage layers are operated by established providers with their own security programs.
No method of transmission or storage is completely secure, so we cannot guarantee absolute security. You are responsible for keeping your credentials confidential. If we become aware of a breach affecting your personal information, we will notify you and regulators as required by law.
International Data Transfers
We are based in the United States and process information there and in other countries where we or our providers operate. If you access the Services from outside the United States, you understand your information will be transferred to and processed in the United States.
Where we transfer personal data from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum), or another lawful transfer mechanism.
Your Privacy Rights
You can access, update, export, or delete much of your information directly in the app. Depending on where you live, you may also have the rights below. To exercise a right, use the in-app tools or contact us at privacy@trymeddy.com. We will not discriminate against you for exercising your rights.
Everyone
- Access and export your information.
- Correct inaccurate information.
- Delete your content and close your account.
California (CCPA/CPRA)
California residents have the right to know, access, correct, and delete personal information; to opt out of “sale” or “sharing” (we do neither); and to limit the use of sensitive personal information. You may use an authorized agent, and we honor Global Privacy Control signals. We respond within the timeframes the law requires (generally 45 days).
Europe, UK & Switzerland (GDPR)
You have the rights of access, rectification, erasure, restriction, portability, and objection, and the right to withdraw consent. Our legal bases for processing are: performance of a contract (to provide the Services), legitimate interests (to secure and improve the Services), consent (for optional features and certain sensitive data), and legal obligation. You may lodge a complaint with your supervisory authority.
Other U.S. states
Residents of states with comprehensive privacy laws (such as Virginia, Colorado, Connecticut, and others) have comparable rights to access, correct, delete, and obtain a copy of their personal data, and to opt out of targeted advertising and sale, neither of which we do. You may appeal a decision by contacting us.
Students & Educational Institutions
Meddy offers deployments for universities and programs. When you use Meddy through an institution, we act as a service provider to that institution and process education records only as the institution directs.
- FERPA. Where the Family Educational Rights and Privacy Act applies, we handle personally identifiable information from education records under the “school official” exception (34 CFR § 99.31(a)(1)): performing an institutional function, under the institution’s direct control, using the data only for authorized purposes, and not re-disclosing it without authorization.
- The institution’s agreement controls. Our data-processing or institutional agreement with the school governs that data and prevails over this Policy to the extent of any conflict for institutional data. We do not use student education records to train foundation models or for advertising.
- Directing requests. If you access Meddy through your school, please direct privacy requests about education records to your institution, which we will support.
Children's Privacy
The Services are intended for users who are at least 13 years old, and are designed for college-level pre-med students. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us personal information, contact us at privacy@trymeddy.com and we will take appropriate steps to delete it. Where the Services are made available to younger students through an institution, we process that data at the institution’s direction and consistent with applicable law.
Third-Party Services
The Services may link to or integrate with third-party websites, applications, and services that we do not control. Their use of your information is governed by their own privacy policies, and we are not responsible for their practices. We encourage you to review them before using those services.
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above and, for material changes, provide additional notice (such as in-app or by email). Your continued use of the Services after an update takes effect means you accept the revised Policy.
Contact Us
Questions about this Policy or your information? Contact our privacy team at privacy@trymeddy.com. For legal notices, write to legal@trymeddy.com. You may also reach general support at support@trymeddy.com.
This Policy is provided by Meddy, Inc.
Last updated · Version 2026-05-05 · © 2026 Meddy